A lot of company data is lying around unprotected, making it very easy to steal. No, I’m not talking about picking up other people’s documents at the printer. Stealing printouts isn’t hard, but it can be risky, especially if the printer is a busy one. Besides, it has 2 other problems:

Your chances of picking up confidential data are low at any given time.

The person will look for the printout and wonder what happened to it.

There’s a much better way that is fast, easy, simple, raises no suspicion, and is basically impossible to detect, if you do it correctly. Can you think of what it is?

The easiest way to steal sensitive documents is to take them out of that little cardboard box on everyone’s desk, you know, where the most sensitive data is collected for shredding, called a shred box (or is this just a U.S. thing?). And even when the bin is stuffed, the documents sometimes sit there until the end of the day; often, they sit for days and nights and sometimes weekends.

How to Steal Confidential Data

Here’s how to do it: walk up to the person’s desk, take a handful of papers from their shred box, place the papers under some of your papers (which were in your other hand), and walk away. Takes less than 10 seconds. This works whether you’re an employee of the company, a contractor, or just a visitor. Of course, if you’re an auditor or security pro for the company, this event is just a normal audit procedure.

This procedure is best because 1) you know the data is confidential because it’s in the shred box, and 2) the person will never miss it because she was going to shred it anyway, and her mind has already discarded it from memory. At the same time, it’s a best practice to always leave a few papers in the person’s shred box so that the person doesn’t notice it’s empty. Even if she notices, it doesn’t matter because you’re long gone.

Risk vs. Rewards

The main risk in this procedure is that you have to enter a person’s cube/office, and someone might remember seeing you–not much of a risk, especially since you normally visit people every day.

However, if someone surprises you, just drop all the papers from your hand onto the desk, making sure some fall on the floor. Then say, “Wow, you startled me, and I made a mess”. Then clean up and you’re on your way. Just make sure you have a reason for stopping by in the first place (like, “do you want to have lunch tomorrow” or “I thought this was Jo McKennzy’s desk”).

Like I’ve said before, if you do this as an audit test, make sure you have a GOOJ card to avoid trouble. If you do this to be malicious, you’re on your own.

Preventing Data Theft

To prevent people from lifting your confidential data from your personal shred bin:

Don’t use the shred box your company gives you for your desk (the one with the annoying logo) or throw confidential papers in an open box under your desk. Instead, throw these papers:

1) into a box in a drawer you keep shut, or
2) in an unmarked (or mismarked) folder standing upright on top of your desk, nestled among other folders, or
3) use the lower tray of a multi-level “inbox” tray.

Sometimes, the best place to hide something is out in the open, especially when “it” looks like everything else. Some will call this “security by obscurity”, but I’m assuming you will also heed the next 3 items.

Empty your shred bin at least when you go to lunch and before you leave for the day. Get in the habit of doing it every time you go to the printer, and teach your employees the same.

Never allow others to empty your personal shred box, as in “Hey, Mack, I’m doing my weekly run to the shred bin, can I save you a trip?” This may just be a disguised request to look through your papers. Even if it’s your buddy, always manage your own security, and in this case, that means shred your own confidential data.

Don’t print so much paper in the first place.

I realize none of this is ground-breaking, but at the same time it doesn’t seem to be common sense either. It should be.

Other Not-So-Conventional Ways to Steal Data

Here’s some other ways to get your hands on someone else’s data:

Wastebasket diving – still no audit trail, but you have to lower yourself to do it, and your hands get yucky. Do it only after hours, and see my blog post Why a Wastebasket Audit? for more tips. You also might find the Comments it generated interesting.

Recycle bin diving – related to wastebasket diving, but on a larger scale. Recycle bins are not locked, but you have to dig through more stuff. But I’ve also found that people throw choice data in them by mistake or due to laziness.

Multi-functional printer manipulation – many companies still don’t lock down the admin password for this device’s web server, so on some printers, you can configure the printer to make copies of all documents submitted for printing, scanning, faxing, and FTPing. You can either print them later or copy them to your computer over the network. This takes a little luck, some expertise, and too much time, and leaves tracks.

To access the web server, just type the printer’s IP address (e.g., 10.10.2.220) into a web browser and press Enter. The address of the printer is often posted on the printer; if not, you can access it from the printer’s control panel under Settings.

I had to laugh at what I saw yesterday. Maintenance came by to empty the locked shred bin. The guy unlocked and opened the shred bin and then dumped the big recycle paper bin into it. I said, “So we shred all non-confidential paper too, including the paper wrapper the copier paper reams come in?” He said, “I don’t know, that’s what I’m told to do, so I do it.”

Perhaps this company is paranoid about privacy, but if that’s the case, why have 2 bins on every floor (shred and recycle)? Rather, I think this just saves maintenance from making 2 trips to the elevator. So I wonder how much extra we pay to shred an extra 30% a year? On one hand, it’s done by a charity, which is good, more $ for them. I hope they were vetted properly, as some of these charity-run enterprises are not well managed. On the other hand, my auditor hat insists I check it out. Stay tuned.

Hi sem3bash,
I agree that shredding everything is the best privacy policy, but is it the best financial policy? I think not. Safer, but not less expensive. Also, people are more likely to throw confidential data in their own trashcan in their office rather than the recycle bin. And like I said, if you’re going to shred everything, make that the official policy and provide only 1 bin, not 2.